Fortify SCA supports a rich set of development environments, languages, platforms, and frameworks, enabling security checks across mixed development and production environments. It covers over 911,000 component-level APIs in 25 programming languages, detects over 961 vulnerability categories, and supports all major platforms, build environments, and IDEs.
Fortify SCA is commercial software and relatively expensive, so I only found an early version to try. Because it is a commercial product, it has detailed documentation, which is very convenient to consult. It supports some IDE plug-in functions, and these are offered as options during installation.
The code audit function of Fortify SCA depends on its rule base files. We can download an updated rule base and place it in the corresponding location under the installation directory: the .bin files go in the Core/config/rules folder, and the .xml files go in the Core/config/ExternalMetadata folder (if the folder does not exist, create it).
Open Audit Workbench and click Start New Project -> Advanced Scan to quickly start an audit task. Select the root directory of the application to be audited, choose the rule base to use under Additional Options, answer the four questions posed by the Audit Guide, and click Run Scan.
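To automate the rule base placement described above, here is an added POSIX shell script (not from the original page and not part of Fortify itself). It assumes the Core/config/rules and Core/config/ExternalMetadata layout described above and that the downloaded rule pack has been unpacked into a plain directory; the file names used in comments are constructed.

```shell
#!/bin/sh
# Deploy a Fortify SCA rule pack into an installation directory:
#   *.bin rule files        -> <install>/Core/config/rules
#   *.xml external metadata -> <install>/Core/config/ExternalMetadata
# Both target folders are created when they do not exist yet.
# Usage: install_fortify_rules <fortify-install-dir> <rule-pack-dir>
install_fortify_rules() {
    install_dir="$1"
    pack_dir="$2"
    rules_dir="$install_dir/Core/config/rules"
    meta_dir="$install_dir/Core/config/ExternalMetadata"

    # Refuse to scatter files into an arbitrary path: a Fortify install root
    # always carries a Core/ tree, so its absence means a wrong directory.
    [ -d "$install_dir/Core" ] || { echo "no Core/ under $install_dir" >&2; return 1; }
    [ -d "$pack_dir" ] || { echo "rule pack dir $pack_dir not found" >&2; return 1; }

    mkdir -p "$rules_dir" "$meta_dir"

    copied=0
    for f in "$pack_dir"/*; do
        [ -f "$f" ] || continue          # skip sub-directories and an empty glob
        case "$f" in
            *.bin) cp "$f" "$rules_dir/" ;;
            *.xml) cp "$f" "$meta_dir/" ;;
            *)     echo "skipping $f (not a .bin or .xml rule file)" >&2; continue ;;
        esac
        copied=$((copied + 1))
    done
    echo "$copied rule file(s) installed"
    # Fail when the pack contained nothing usable, so callers notice.
    [ "$copied" -gt 0 ]
}

# Run directly, e.g.: sh install_rules.sh /opt/Fortify /tmp/rulepack
if [ $# -eq 2 ]; then
    install_fortify_rules "$1" "$2"
fi
```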
Supported programming languages:
Supported IDEs:
Eclipse
IntelliJ Ultimate
IntelliJ Community
Android Studio
IBM Rational Application Developer (RAD)
IBM Rational Software Architect (RSA)
Microsoft Visual Studio
Supported build tools:
Ant
Jenkins
Maven
MSBuild
Xcodebuild
Supported defect management platforms:
Yes
ALM
Bugzilla
Supported code management tools:
Git
SVN
TFS
Covers numerous vulnerabilities
Fortify SCA includes 810+ SAST vulnerability classifications, supporting compliance with standards such as OWASP Top 10, CWE/SANS Top 25, DISA STIG, and PCI DSS.